Android Flaw Allows Remote Code Execution Across Versions: What to Know


Google has patched a number of bugs in its May 2020 Android safety patch. These vulnerabilities are reported to pose excessive threat for shoppers in addition to enterprise and authorities establishments – if exploited. The essential severity flaw CVE-2020-0103, specifically, may enable for distant code execution. It impacts all Android OS builds utilising safety patch ranges issued prior to May 5. Centre for Internet Security (CIS) has listed a complete of 39 excessive threat vulnerabilities in Google’s Android OS that had been patched in latest replace by Google. The organisation notes that fixes for all of those vulnerabilities have been rolled out by Google with May 2020 patch, however different OEMs are but to roll it out to their telephones.

CIS has listed 39 Android OS vulnerabilities in its blog post that pose excessive threat to small, medium, and huge companies and authorities organisations. The organisation notes that there are at present no reviews of those vulnerabilities being exploited within the wild. The most extreme of those vulnerabilities is CVE-2020-0103 which may enable for distant code execution.

The distant code execution vulnerability in CVE-2020-0103 was not detailed on the CVE Mitre web site by NVD, however Google in its safety bulletin on May 1 famous, “The most severe of these issues is a critical security vulnerability in the System component that could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process.”

CIS provides, “Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution within the context of a privileged process. These vulnerabilities could be exploited through multiple methods such as email, web browsing, and MMS when processing media files.” However the harm brought on by these bugs varies based mostly on the privileges related to malicious apps. In the worst case state of affairs, an attacker may set up packages; view, change, or delete information; or create new accounts with full person rights.

Google Updates Chrome After Spotting ‘Critical’ Security Vulnerability

“If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights,” CIS provides.

The latest Android Bulletin notes that each one of those vulnerabilities have been patched with the newest May 2020 Android safety patch dated May 5. Out of the 39 vulnerabilities, 36 had been categorised as high-severity, 1 was categorised reasonable, and a pair of had been categorised as essential. Apart from CVE-2020-0103, the opposite critical-severity flaw (CVE-2020-3641) was in Qualcomm closed supply part, and has not but been detailed.

CIS advises OEMS to apply acceptable updates by Google or cell carriers to weak techniques, instantly after acceptable testing. It additionally recommends customers to obtain solely trusted vendor apps through Google Play Store. Users ought to train warning and consider earlier than visiting un-trusted web sites or observe hyperlinks offered by unknown or un-trusted sources. For those that are conscious of finest safety practices should inform and educate others concerning threats posed by hypertext hyperlinks contained in un-trusted emails or attachments.

Hackers Exploiting Bug in Microsoft Email Servers

As talked about, Google has rolled out the May 2020 Android safety patch to Pixel units already.


How are we staying sane throughout this Coronavirus lockdown? We mentioned this on Orbital, our weekly expertise podcast, which you’ll subscribe to through Apple Podcasts or RSS, download the episode, or simply hit the play button under.

Leave a Reply

%d bloggers like this: